How to Protect Plists (property lists) in iOS apps

Learn the 3 easy steps to Protect Plists in iOS apps to safeguard information about the app bundle, its contents and how the app is packaged and configured.

What is a Plist (property list)? 

In iOS apps, a plist (aka ‘property list’) is a structured text file containing metadata that the app needs in order to run. Plists are collections of key-value pairs (such as a dictionary list) that specify how the system should interpret the associated bundle. Some key-value pairs characterize the bundle itself, while others configure the app, framework, or other entity that the bundle represents. Some keys are required, while others are specific to particular features of the executable.

iOS apps can have multiple plists for specific functions, and the details of what to include in the property list vary by executable type and by platform. However, all iOS apps must have at least one plist (info.plist is the default property list supplied by Xcode when you create a project).

Why Should Developers Protect Plists in iOS Apps?

The data stored inside Plists often contains information that enables malicious users to harvest private data, understand app configuration or functionality, or alter values of strings, app permissions and other sensitive app resources.

Here are some specific ways in which Plists can be abused or modified by cyber-criminals:

  • Mobile game cheating – by changing the values of game properties such as coins, gems, lives, powers, game scores or any other values stored in plists
  • Disabling mobile ads
  • Changing app bundle ID
  • Harvesting or altering information about advertising or engagement SDKs or libraries used to track mobile users
  • Changing app permissions
  • Requesting access to private user data
  • Changing build number and bundle IDs
  • Requesting permissions to OS resources: AccessibilityServices, Location, Camera, Contacts, Microphone, Bluetooth, etc.

Mobile developers can Protect Plists in any iOS app with no code or coding. Appdome’s Protect Plist feature encrypts all plist files (properties files) in the .ipa, except info.plist and plists related to app signing (such as entitlements and provisioning profiles).

Appdome is a no-code mobile app security platform designed to add security features, like Protect Plists, to any iOS app without coding. This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily protect property lists in iOS apps.

3 Easy Steps to Protect Plists in iOS apps

 Please follow these 3 easy steps to Protect Plists in iOS apps using Appdome.  

  1. Upload a mobile app binary (.apk, .aab or .ipa)
  2. In the Build Tab, under Anti-Fraud, Select Mobile Fraud Prevention and Toggle on Protect Plist (shown below)
  3. Click Build My App

Optional: Toggle on Protect info.plist


Congratulations! The app is now protected with Appdome’s Protect Plists feature

 

 

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps with Plist encryption. When a user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Additional Information About Plist Encryption

Every app and plug-in uses info.plist to store data so the system can easily access it. The following key types cannot be encrypted because they need to be accessible to both the OS and the application:

  • Core Foundation keys (start with the CF prefix)
  • Cocoa keys (start with the NS prefix)
  • iOS keys (start with the UI prefix)
  • DT Xcode keys (start with the DT prefix)

When you submit the secured app to Apple’s App Store, the above keys should be left unencrypted because they are Core Foundation keys, define the target platform for the app (iOS, watchOS, etc.), configure the appearance of your app at launch and at runtime, or are added by Apple via Xcode.
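To check which plists in a build are still readable and which info.plist keys fall outside the CF, NS, UI and DT prefixes listed above, a release pipeline can audit the .ipa directly. The following Python sketch is an added example, not Appdome code; the function names, the sample archive and the key `ExampleApiBaseURL` are constructed for illustration, and a file that fails to parse is only reported as unreadable, with no assumption about the protected format.

```python
import io
import plistlib
import zipfile
from pathlib import PurePosixPath

# Prefixes the article lists as keys that must stay readable in info.plist.
SYSTEM_PREFIXES = ("CF", "NS", "UI", "DT")


def audit_ipa(ipa):
    """Return {plist path: finding} for every .plist inside an .ipa (zip) archive."""
    report = {}
    with zipfile.ZipFile(ipa) as zf:
        for name in zf.namelist():
            if PurePosixPath(name).suffix.lower() != ".plist":
                continue
            try:
                data = plistlib.loads(zf.read(name))  # handles XML and binary plists
            except Exception:
                # Not parseable as a plist: encrypted, truncated or corrupt.
                report[name] = {"readable": False}
                continue
            keys = sorted(data) if isinstance(data, dict) else []
            finding = {"readable": True, "keys": keys}
            if PurePosixPath(name).name.lower() == "info.plist":
                # App-defined keys are the ones to review for sensitive values.
                finding["custom_keys"] = [k for k in keys if not k.startswith(SYSTEM_PREFIXES)]
            report[name] = finding
    return report


def build_sample_ipa():
    """Constructed sample archive (not a real app) so the audit runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({
            "CFBundleIdentifier": "com.example.demo",
            "NSCameraUsageDescription": "Scan codes",
            "UILaunchStoryboardName": "Launch",
            "DTXcode": "1500",
            "ExampleApiBaseURL": "https://api.example.invalid",
        }))
        zf.writestr("Payload/Demo.app/GameConfig.plist",
                    plistlib.dumps({"coins": 100, "lives": 3}, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/Demo.app/Opaque.plist", b"\x8f\x02\x11not-a-plist")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path, finding in audit_ipa(build_sample_ipa()).items():
        print(path, finding)
```

Running the same audit on the unprotected and the protected build shows which property lists changed from readable to unreadable and which app-defined info.plist keys remain in plaintext.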

Prerequisites

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured iOS apps with Protect Plists. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Apps 

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.

More Mobile App Security Resources

Here are a few related resources:

How to Prevent App Signing by Unauthorized Developers

How to Prevent non-approved Android, iOS app store publishing

How to Block Frida Toolkits 

Block Magisk Manager and Magisk Hide

Check out Appdome’s Mobile Fraud Prevention or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Alan Bavosa
